CVE-2025-24917: CWE-284: Improper Access Control in Tenable Network Monitor
In Tenable Network Monitor versions prior to 6.5.1 on a Windows host, it was found that a non-administrative user could stage files in a local directory to run arbitrary code with SYSTEM privileges, potentially leading to local privilege escalation.
AI Analysis
Technical Summary
CVE-2025-24917 is a high-severity vulnerability affecting Tenable Network Monitor versions prior to 6.5.1 running on Windows hosts. The vulnerability arises from improper access control (CWE-284) that allows a non-administrative user to stage files in a local directory, which can then be executed with SYSTEM privileges. This effectively enables local privilege escalation, where an attacker with limited user rights can gain full control over the affected system. The vulnerability is characterized by a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability. The attack vector is local (AV:L), requiring low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component or system. Exploitation could allow an attacker to execute arbitrary code with SYSTEM-level privileges, potentially leading to full system compromise, unauthorized access to sensitive data, and disruption of network monitoring capabilities. No known exploits are currently reported in the wild, and no official patch links are provided yet, but the vendor has reserved the CVE and published the advisory. The vulnerability specifically targets Windows hosts running Tenable Network Monitor, a widely used network security monitoring tool, which is often deployed in enterprise environments for continuous network visibility and threat detection.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Tenable Network Monitor for network security monitoring and vulnerability management. Successful exploitation could lead to full system compromise of monitoring infrastructure, undermining the integrity and availability of critical security data. This could delay detection of other threats, facilitate lateral movement by attackers, and potentially lead to broader network breaches. Given the SYSTEM-level privileges gained, attackers could disable security controls, exfiltrate sensitive information, or disrupt business operations. Organizations in sectors with stringent regulatory requirements such as finance, healthcare, and critical infrastructure could face compliance violations and reputational damage. The local nature of the exploit means that insider threats or attackers who have gained initial footholds with limited privileges could escalate their access rapidly. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity and ease of exploitation warrant immediate attention.
Mitigation Recommendations
European organizations should prioritize upgrading Tenable Network Monitor to version 6.5.1 or later as soon as it becomes available to address this vulnerability. In the interim, restrict local user access to systems running the vulnerable versions, enforcing strict access controls and monitoring for unusual file staging activities in local directories. Employ application whitelisting to prevent unauthorized code execution and leverage endpoint detection and response (EDR) solutions to detect suspicious behavior indicative of privilege escalation attempts. Regularly audit user permissions and remove unnecessary local accounts or privileges. Network segmentation can limit the impact of a compromised monitoring host. Additionally, implement robust logging and alerting mechanisms to identify potential exploitation attempts early. Organizations should also stay informed via vendor advisories and threat intelligence feeds for any emerging exploit developments and patches.
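The permission audit recommended above can be scripted. The PowerShell below is an added example, not Tenable's code or part of the advisory. The directory path is a placeholder because the page does not name the affected directory, and the function name `Get-WeakDirectoryAce` is hypothetical.

```powershell
# Added example: list ACL entries that let non-administrative principals
# create, replace or re-permission files under a directory tree.
# PLACEHOLDER path: the advisory does not name the affected directory.
param([string]$TargetDir = 'C:\PLACEHOLDER\ProductDirectory')

# Principals expected to hold write access (well-known SIDs).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inheritance template)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow staging or swapping a file, plus the generic
# GENERIC_WRITE / GENERIC_ALL bits that Get-Acl can return unmapped.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
    $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-WeakDirectoryAce {
    param([Parameter(Mandatory)][string]$Path)
    # The directory itself plus every subdirectory beneath it.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Explicit and inherited rules, identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = $rule.IdentityReference.Value
            if ($TrustedSids -contains $sid) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
            try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }   # unresolvable SID, e.g. a deleted account
            [pscustomobject]@{
                Directory = $dir.FullName
                Principal = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-WeakDirectoryAce -Path $TargetDir | Format-Table -AutoSize -Wrap
```

Rows naming Users, Authenticated Users, Everyone or an individual account are the ones to review first. Other administrative groups that are not in `$TrustedSids` will also be listed and need judging by hand.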
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: tenable
- Date Reserved: 2025-01-28T20:09:40.193Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68309d5f0acd01a2492740ad
Added to database: 5/23/2025, 4:07:59 PM
Last enriched: 7/8/2025, 8:09:50 PM
Last updated: 8/13/2025, 11:51:31 PM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)